An integer overflow can happen when looping over items in a list.
This can only happen in rare conditions on 32 and 64-bit systems, as the list must contain more than 2,147,483,647 elements.
On 16-bit systems, this happens with a list that contains more than 32,767 elements.
Mitigation
There is no known mitigation.
The upgrade to the latest stable version is highly recommended.
Credit
The issue was discovered by Yiheng Cao.
WSA-2021-1: [Relay] Crash on malformed websocket frame in relay plugin.
A crash happens when decoding a malformed websocket frame in relay plugin.
This happens even if a password is set in relay plugin, the malformed websocket frame can be received before the authentication of the client.
Mitigation
There are multiple ways to mitigate this issue:
Rremove all relays, see: /help relay
Unload relay plugin with command: /plugin unload relay and see: /help weechat.plugin.autoload
Secure relay to allow only some trusted IP addresses, see: /help relay.network.allowed_ips
Credit
The issue was discovered by Stuart Nevans Locke.
WSA-2020-3: [IRC] Buffer overflow on new IRC message 005 with nick prefixes.
A buffer overflow happens when a new IRC message 005 is received with longer nick prefixes.
Note: a "normal" IRC server should not send again a message 005 with new nick prefixes, so the problem should be limited to malicious IRC servers.
Mitigation
There is no known mitigation.
The upgrade to the latest stable version is highly recommended.
Credit
The issue was discovered by Stuart Nevans Locke.
WSA-2020-2: [IRC] Crash on malformed IRC message 352 (WHO).
Date/time conversion specifiers are expanded after replacing buffer local variables in name of log files. In some cases, this can lead to an error in function strftime and a crash caused by the use of an uninitialized buffer.
Mitigation
You can unload the logger plugin, thus stopping recording of all buffers: /plugin unload logger.
Credit
The issue was discovered by Joseph Bisch.
WSA-2017-1: [IRC] Buffer overflow when receiving a DCC file.